‘Rosegold’ National Lottery hacker steals £5, lands prison sentence

International law enforcement operation brings down IM-RAT hacking toolEuropol reports 14 arrests across eight countries, including the RAT’s creator, in Australia.

A man who participated in a scheme to break into the UK’s National Lottery website and hijack customer accounts has been jailed for nine months.

Anwar Batson, from Notting Hill, London, provided others with help and tuition to compromise the lottery’s operator, Camelot, the UK’s National Crime Agency (NCA) said last week.

The 29-year-old, together with Daniel Thompson, Idris Kayode Akinwunmi, and others schemed over ways to make quick cash from the lottery and Batson suggested the use of Sentry MBA to crack and access user accounts.

Sentry MBA is an automated cracking tool that is widely available online. The software suite can be used in credential stuffing attacks when there is a lack of anti-automation protections, taking the need to have any technical knowledge out of the equation to slam an online service with lists of weak password and user combinations, as well as compromised account combinations leaked through data dumps and paste websites.

Under the name “Rosegold,” the 29-year-old “told others they could make quick cash” using Sentry MBA and held conversations “about hacking, buying and selling of username and password lists, configuration files, and personal details,” UK prosecutors said.

In 2016, the NCA was made aware that a cyberattack had taken place against the National Lottery. The organization emphasized that core systems responsible for draws were not impacted, but a database containing millions of records was in the line of fire.

At the time, the National Lottery said approximately 27,000 player accounts were accessed due to “suspicious activity” and information including names, contact details, dates of birth, and limited payment card data may have been exposed.

In Batson’s case, the tool was used to grab credentials — including those of one lottery player who had £13 stolen from his account by Akinwunmi, £5 of which was sent to Baston.

The payout was small, but it still counts as fraud and an offense under the UK’s 1990 Computer Misuse Act. The National Lottery’s operator, however, had to pay £230,000 responding to the attacks and 250 customers closed their accounts in response to the publicity surrounding the incident, according to The Register.

After pleading guilty to four offenses under the act and one count of fraud in Southwark Crown Court, Batson has been ordered to spend nine months behind bars. Originally, Batson denied any involvement.

Thompson and Akinwunmi were jailed in 2018 for eight months and four months respectively after being accused of bombarding the National Lottery website with brute-force cracking attempts.

“Even the most basic forms of cybercrime can have a substantial impact on victims,” said NCA senior investigating officer Andrew Shorrock. “No one should think cybercrime is victimless or that they can get away with it.”

Last week, a US citizen was jailed for four years by the US Department of Justice (DoJ) for widespread identity theft. Babatunde Olusegun Taiwo participated in a scam in which the personal identifying information (PII) of individuals, leaked through a prior data breach, was harnessed to file fraudulent tax returns and refund claims with the US Internal Revenue Service (IRS).

In total, Taiwo and co-defendants filed for over $12 million in refunds. The IRS paid out $800,000 before law enforcement became involved.

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0